In the sci-fi movie Minority Report, Chief John Anderton and others in his agency use retina scan recognition to prove their identity and enter the precrime squad building. Also in films like Star Trek, The Fifth Element, I Robot, and many other pre-2010s films which have depicted ‘futuristic’ worlds,  biometrics are used everywhere to identify people.

Fast forward to real life today, biometrics are not science fiction anymore. Firstly, because we have the technology at our disposal, but most importantly because there’s a big problem that needs to be solved: passwords – the cause of the vast majority of data breaches today. This is why today pioneering organisations are using biometrics to identify people in the most convenient ways. However, the biometrics we have seen in the movies actually are not the best for today’s internet services. In this blog, I will explore a novel approach that has emerged in recent years: finger vein biometrics.

 

What is finger vein biometrics?

Finger vein biometrics identifies a user based on the vein patterns in their fingers, which are unique to every person. It is also known as vascular biometrics, as the identifiable information is from the blood vessels beneath your skin. The magic behind it is that the haemoglobin — the iron-containing protein we all have in our blood — changes colour when it is exposed to near-infrared light or visible light. As a result, the reader can scan the user’s unique pattern of veins. The vein pattern is digitised, encrypted and securely stored on server side.

In this blog I’m using Hitachi’s finger vein biometrics solution (VeinID Five) as the benchmark, since its technology uses a standard phone/laptop webcam as opposed to needing any specialised physical hardware.

 

How does finger vein biometrics work in practice?

While all this sounds amazing, how does it work for a real person in a real situation? Let’s say Sarah wants to make a money transfer online. As with all biometrics, the first step is enrolment, which consists of reading your hand and storing that encoded information in a database (server side). I’ll point out here that your finger vein pattern is never stored – only a mathematical representation of it. From then on, Sarah will just wave her hand in front of a webcam to authenticate to the internet service and complete the money transfer. Simple and secure.

finger vein biometrics workflow

Source: Hitachi Digital Security

Finger vein biometrics has been in use for more than a decade for access control systems (people entering a building) and at ATMs (people withdrawing money), though in both cases by using a near-infrared reader device. When the world became as connected as it is today, finger vein biometrics proved its versatility and brought all its power to identify people on internet services.

Internet services can use finger vein biometrics either as the main authentication method or as a second factor method (multi-factor authentication/MFA). An example of MFA would be a user signing in with a password or social media login (first factor), but also needing to complete finger vein authentication (second factor) in order to gain access, increasing security.

 

Main benefits of finger vein biometrics

For benefits of biometrics in general, see this blog: Biometric authentication: 5 business benefits. Finger vein biometrics also has numerous further benefits; these are the ones that I consider to be the top five:

  1. No special hardware required. (Again – specific to Hitachi VeinID Five.) The 720p camera you have in almost every smartphone or laptop is sufficient to read your vein patterns, saving a lot of money for people and organisations compared to requiring any specialised reader hardware.
  2. Finger vein patterns are perennial. Finger vein patterns remain the same for many years; they don’t usually change. As a result, users don’t need to re-enrol down the line.
  3. Personal data is never stored. In these times of many data breaches and cybercrimes, it is critical that personal data is well protected. Finger vein biometrics handles only a mathematical representation of the personal data (finger vein pattern). This information is securely transmitted to the identity repository (CIAM system) and stored encrypted. No data is stored on the device, so if the device is stolen your biometrics are safe.
  4. Unlikely to be forged. As the captured image of the finger veins is never stored, nobody can steal, copy and forge your unique pattern to impersonate you. This is very different to a password, which can easily be guessed/stolen.
  5. No physical contact needed. Unlike fingerprint biometrics, there’s no need to touch any surface. Authentication is complete with a ‘wave’ to the camera. Finger vein biometrics is a hygienic method for today’s Covid and the post-Covid world.

 

Finger vein biometrics vs. fingerprint biometrics

So how different is finger vein biometrics to fingerprint biometrics? You might be thinking, my smartphone or laptop already has a fingerprint reader, and a few mobile apps already use it to authenticate me; isn’t the problem already solved?

Certainly, fingerprint authentication is already available both in mid-range smartphones and in high-end laptops. But although fingerprint biometrics also reads biological traits of our fingers, the method is much less reliable. Let us analyse this from three perspectives:

  1. Fingerprint biometrics is controlled by the device manufacturer (e.g. Apple, Lenovo, Samsung) and not by the application or the authentication service. Applications have to trust whatever the phone or laptop sends as the authentication response. The company or organisation that owns the application does not have any control of the reliability of the verification. Contrastingly, finger vein biometrics are tied to an individual and not a device (and therefore can be used across multiple devices).
  2. Built-in phone biometrics were designed for convenience, not for strong security. The accuracy of biometrics methods can be measured and fingerprint recognition shows a high false rejection rate (FRR) and low false acceptance rate (FAR). In contrast, finger vein biometrics has both a superior FRR and FAR.
  3. Fingerprints can be forged – easily copied and later used to impersonate an individual. When a person touches a surface, their fingerprint is often left behind and criminals can copy it in order to steal the person’s identity. These leaks are not possible with finger veins, which again makes the duplication risk (and therefore unauthorised service access) extremely low.

 

Finger vein biometrics use cases

As of 2021, many internet services still lack a secure and convenient way of identifying users. The market needs a solution like this. Nearly every person now has a mobile phone with 720p camera (or better!). That’s a massive advantage for finger vein biometrics.

Finger vein biometrics is a formidable authentication method. However, its full power is unleashed when combined with Customer Identity and Access Management (CIAM). Let’s review three of these real-life scenarios.

Use case 1: Confirm a payment

A lot of financial services now have mobile apps. With many, you can open an app on your phone and quickly authenticate yourself by means of a password, or with your social media login. This is convenient to quickly check your account balance, or check if a refund has been credited etc. However, if you’re going to complete a higher-risk transaction – e.g. transfer money or make a big payment – you want to make sure that this is secure. Such a transaction requires stronger authentication than your password or social media login, so you can ‘step up’ the authentication to require finger vein biometric authentication at this point only. This reduces friction for simple tasks, while better securing high risk tasks.

Use case 2:  Identity delegation

In this scenario, an administrator user gives power (delegate authority and access/rights) to another user to accomplish a task or take over a role. But before the second user takes this power, they have to prove their identity using strong authentication. This is where finger vein authentication comes into play. A remote employee receives an invitation to take the role of ‘purchasing assistant’ in an e-commerce service. They will first use finger vein biometrics to enrol in the system, then in the future they will complete purchases (according to the level of rights delegated to their identity) by holding their hand up to the camera and authenticating with finger vein authentication.

See a similar delegation with finger vein biometrics in action here.

Use case 3: Single Sign-On (SSO)

Today it is very rare that an organisation has just one internet service. The opposite is commonplace: many web services and mobile applications from one organisation. Using single sign-on with finger vein biometrics would allow users to seamlessly use SSO to easily switch between a financial planning application, an e-commerce site and another application without a new login. They don’t need a different set of credentials for each service. SSO is particularly powerful for financial services as it allows customers to be strongly authenticated and ready to access several services with one authentication.

See SSO with finger vein biometrics in action here.

 

Try finger vein biometrics for yourself

Overall, finger vein biometrics is a reliable and convenient authentication method for internet services that beats fingerprint biometrics and other authentication methods.

The ubiquity of cameras on smartphones, tablets and laptops makes finger vein biometrics a solution that can be leveraged by any kind of service, for a wide range of users. Combine it with Customer IAM and you can see solid use cases that allow you to get the most benefits from this solution.

Try Hitachi VeinID Five finger vein biometrics and Ubisecure IDaaS (SaaS-delivered CIAM) for yourself in a free 30-day trial. Start your free, no-commitment trial here.